LITEWORP: A Lightweight Countermeasure for the Wormhole ... · protocols and routing protocols....
Transcript of LITEWORP: A Lightweight Countermeasure for the Wormhole ... · protocols and routing protocols....
1
LITEWORP: A Lightweight Countermeasure for the Wormhole Attack in Multihop
Wireless Networks
Issa Khalil, Saurabh Bagchi, Ness B. Shroff Dependable Computing Systems Lab and Center for Wireless Systems and Applications (CWSA)
School of Electrical & Computer Engineering, Purdue University 465 Northwestern Avenue, West Lafayette, IN 47907.
Email: {ikhalil, sbagchi, shroff}@purdue.edu Ph. 765-494-3362 Contact author: Saurabh Bagchi
Abstract
In multihop wireless systems, such as ad-hoc and sensor networks, the need for cooperation among nodes to
relay each other’s packets exposes them to a wide range of security attacks. A particularly devastating attack is
known as the wormhole attack, where a malicious node records control and data traffic at one location and tunnels
it to a colluding node, which replays it locally. This can have an adverse effect in route establishment by
preventing nodes from discovering routes that are more than two hops away. In this paper, we present a
lightweight countermeasure for the wormhole attack, called LITEWORP, which does not require specialized
hardware. LITEWORP is particularly suitable for resource-constrained multihop wireless networks, such as sensor
networks. In this paper, we present a detailed description of LITEWORP for static networks, and discuss extensions
to mobile networks. Our solution allows detection of the wormhole, followed by isolation of the malicious nodes.
Simulation results show that every wormhole is detected and isolated within a very short period of time over a
large range of scenarios. The results also show that the fraction of packets lost due to the wormhole when
LITEWORP is applied is negligible compared to the loss encountered when the method is not applied.
Keywords: Wireless sensor and ad-hoc networks, neighbor watch, wormhole attack, compromised node
detection, compromised node isolation.
1 Introduction
Ad-hoc and sensor networks are emerging as a promising platform for a variety of application areas in both
military and civilian domains. These networks are especially attractive for scenarios where it is infeasible or
expensive to deploy significant networking infrastructure. Initial research efforts have focused on the realization
and practical implementation of these networks by focusing on their functional attributes such as data aggregation
2
protocols and routing protocols. However, the open nature of the wireless communication channels, the lack of
infrastructure, the fast deployment practices, and the hostile environments where they may be deployed, make
them vulnerable to a wide range of security attacks. These attacks could involve eavesdropping, message
tampering, or identity spoofing, that have been addressed by customized cryptographic primitives in the wired
domain. Alternately, the attacks may be targeted to the control or the data traffic in wireless networks, such as the
blackhole attack [12] and the rushing attack [16]. Since many multihop wireless environments are resource-
constrained (e.g., bandwidth, power, or processing), providing detection and countermeasures to such attacks
often turn out to be more challenging than in wired networks.
A particularly severe security attack, called the wormhole attack, has recently been introduced in the context of
ad-hoc networks [12], [14], [15]. During the attack, a malicious node captures packets from one location in the
network, and “tunnels” them to another malicious node at a distant point, which replays them locally. The tunnel
can be established in many different ways, such as through an out-of-band hidden channel (e.g., a wired link),
packet encapsulation, or high powered transmission. This tunnel makes the tunneled packet arrive either sooner or
with lesser number of hops compared to the packets transmitted over normal multihop routes. This creates the
illusion that the two end points of the tunnel are very close to each other. A wormhole tunnel can actually be
useful if used for forwarding all the packets. However, in its malicious incarnation, it is used by attacking nodes
to subvert the correct operation of ad-hoc and sensor network routing protocols. The two malicious end points of
the tunnel may use it to pass routing traffic to attract routes through them. They can then launch a variety of
attacks against the data traffic flowing on the wormhole, such as selectively dropping the data packets. The
wormhole attack can affect network routing, data aggregation and clustering protocols, and location-based
wireless security systems. Finally, it is worth noting that the wormhole attack can be launched even without
having access to any cryptographic keys or compromising any legitimate node in the network.
In this paper, we present a simple lightweight protocol, called LITEWORP, to detect and mitigate wormhole
attacks in ad-hoc and sensor wireless networks. LITEWORP uses secure two-hop neighbor discovery and local
monitoring of control traffic to detect nodes involved in the wormhole attack. It provides a countermeasure
technique that isolates the malicious nodes from the network thereby removing their ability to cause future
damage. We provide a novel taxonomy of the different ways in which wormhole attacks can be launched and
3
show how LITEWORP can be used to handle all but one of these attack modes. LITEWORP has several features that
make it especially suitable for resource-constrained wireless environments, such as sensor networks. LITEWORP
does not require any specialized hardware, such as directional antennas or fine granularity clocks. It does not
require any time synchronization between the nodes in the network. It does not increase the size of the network
traffic, and incurs negligible bandwidth overhead, only at initialization and on detection of a wormhole. The
lightweight feature of LITEWORP is in contrast to other countermeasures for wormhole attacks, which have
requirements (e.g. directional antennas [15], highly accurate time measurement [28], and clock synchronization
[14]) that often make them impractical for sensor networks and infeasible for many classes of ad-hoc networks.
In this paper, we present a coverage analysis of LITEWORP and show the relation between the number of nodes
required for local monitoring, called the guards, and the probability of false or missed detection. Also, we build a
simulation model for LITEWORP using the network simulator ns-2 and perform comparative evaluation of a
network with and without the technique. The results show that LITEWORP can achieve 100% detection of the
wormholes for a wide range of network densities. They also show that detection and isolation of the nodes
involved in the wormhole can be achieved in a negligible time after the attack starts, and that the cumulative
number of lost packets and malicious routes established do not grow because wormholes are identified and
isolated. Finally, we provide analysis for the storage, computational, and bandwidth overheads incurred by
LITEWORP, and demonstrate its lightweight nature.
The rest of the paper is organized as follows. Section 2 presents related work in the field of wormhole
detection and mitigation. Section 3 describes a taxonomy of the wormhole attack modes. Section 4 describes the
LITEWORP protocol and its defenses against the various modes of the wormhole attack. Section 5 presents
coverage and cost analysis of LITEWORP. Section 6 presents simulation results. Finally, Section 7 discusses some
extensions and concludes the paper.
2 Related Work
The wormhole attack in wireless networks was independently introduced by Dahill [1], Papadimitratos [4], and
Hu [14]. Initial proposals to thwart wormhole attacks suggest using secure modulation of bits over the wireless
channel that can be demodulated only by authorized nodes. This only defends against outside attackers who do
4
not possess cryptographic keys. A similar approach called RF watermarking [24] modulates the radio waveform
in a specific pattern and any change to the pattern is used as the trigger for detection. This mechanism will fail to
prevent a wormhole if the waveform is accurately captured at the receiving end of the wormhole and exactly
replicated at the transmitting end.
Hu et al. [14] introduce the concept of geographical and temporal packet leashes for detecting wormholes.
They define a leash to be any added information to the packet for the purpose of defending against the wormhole.
The geographical leashes ensure that the recipient of the packet is within a certain distance from the sender. They
require each node to know its own location, and require all the nodes to have loosely synchronized clocks. When
sending a packet, the sending node includes in the packet an authenticated version of its own location and the time
at which it sent the packet. The receiving node uses these values, in addition to its own location and the time at
which it receives the packet, to compute an upper bound on the distance to the sender. The temporal leashes
ensure that the packet has an upper bound on its lifetime, which restricts the maximum travel distance. They
require that all nodes have tightly synchronized clocks. The sender includes in each packet an authenticated
version of the time of sending. The receiver compares this value to the time at which it received the packet. Based
on the time delay and the speed of light, the receiver can determine if the packet has traveled too far. An implicit
assumption is that packet processing, sending, and receiving delays are negligible. Both geographical and
temporal leashes need to add authentication data to each packet to protect the leash, which add processing and
communication overhead. In addition a large amount of storage is needed at each node since a hash tree based
authentication scheme is used [32]. If only loose time synchronization is possible, the smallest packet size that can
be authenticated becomes large (e.g., 4900 bytes with 1 s synchronization). Perhaps, more importantly, packet
leashes do not nullify the capacity of the compromised nodes from launching attacks in the future.
Capkun et al. [28] present SECTOR, a set of mechanisms for the secure verification of the time of encounters
between nodes in multihop wireless networks. They show how to detect wormhole attacks without requiring any
clock synchronization through the use of MAD (Mutual Authentication with Distance-Bounding). Each node u
estimates the distance to another node v by sending it a one bit challenge, which node v responds to
instantaneously. Using the time of flight, node u detects if node v is a neighbor or not. The approach uses special
hardware for the challenge request-response and accurate time measurements.
5
Hu and Evans [15] use directional antennas [25],[26] to prevent the wormhole attack. To thwart the wormhole,
each node shares a secret key with every other node and maintains an updated list of its neighbors. To discover its
neighbors, a node, called the announcer, uses its directional antenna to broadcast a HELLO message in every
direction. Each node that hears the HELLO message sends its identity and an encrypted message, containing the
identity of the announcer and a random challenge nonce, back to the announcer. Before the announcer adds the
responder to its neighbor list, it verifies the message authentication using the shared key, and that it heard the
message in the opposite directional antenna to that reported by the neighbor. This approach is suitable for secure
dynamic neighbor detection. However, it only partially mitigates the wormhole problem. Specifically, it only
prevents the kind of wormhole attacks in which malicious nodes try to deceive two nodes into believing that they
are neighbors. This is only one of the five wormhole attack modes that we describe in Section 3. The requirement
of directional antennas on all nodes may be infeasible for some deployments. Finally, the protocol may degrade
the connectivity of the network by rejecting legitimate neighbors in their conservative approach to prevent
wormholes from materializing. Awerbuch et al. [27] present a protocol called ODSBR that does not prevent the
wormhole from happening but tries to mitigate its consequences through discovery and avoidance. The technique
suffers from the drawback that every single packet needs to be acknowledged by the destination and many packets
could be lost before the wormhole is discovered.
3 Wormhole Attack Modes
In this section we classify the wormhole attack based on the techniques used for launching it.
3.1 Wormhole using Encapsulation
Wormhole attacks are particularly severe against many ad-hoc and sensor network routing protocols, such as
the two ad-hoc on-demand routing protocols DSR [10] and AODV [21], and the sensor TinyOS beaconing routing
protocol [12]. First, we demonstrate how a generic wormhole attack is launched against such routing protocols,
using DSR as an example. In DSR, if a node, say S, needs to discover a route to a destination, say D, S floods the
network with a route request packet. Any node that hears the request packet transmission processes the packet,
adds its identity to the source route, and rebroadcasts it. To limit the amount of flooding through the network,
each node broadcasts only the first route request it receives and drops any further copies of the same request. For
6
each route request D receives, it generates a route reply and sends it back to S. The source S then selects the best
path from the route replies; the best path could be either the path with the shortest number of hops or the path
associated with the first arrived reply. However, in a malicious environment, this protocol will fail. When a
malicious node at one part of the network hears the route request packet, it tunnels it to a second colluding party
at a distant location near the destination. The second party then rebroadcasts the route request. The neighbors of
the second colluding party receive the route request and drop any further legitimate requests that may arrive later
on legitimate multihop paths. The result is that the routes between the source and the destination go through the
two colluding nodes that will be said to have formed a wormhole between them. This prevents nodes from
discovering legitimate paths that are more than two hops away.
One way for two colluding malicious nodes can involve themselves in a route is by simply giving the false
illusion that the route through them is the shortest, even though they may be many hops away. Consider Figure 1
in which nodes A and B try to discover the shortest path between them, in the presence of the two malicious nodes
X and Y. Node A broadcasts a route request (REQ), X gets the REQ and encapsulates it in a packet destined to Y
through the path that exists between X and Y (U-V-W-Z). Node Y demarshalls the packet, and rebroadcasts it
again, which reaches B. Note that due to the packet encapsulation, the hop count does not increase during the
traversal through U-V-W-Z. Concurrently, the REQ travels from A to B through C-D-E. Node B now has two
routes, the first is four hops long (A-C-D-E-B), and the second is apparently three hops long (A-X-Y-B). Node B
will choose the second route since it appears to be the shortest while in reality it is seven hops long. So X and Y
succeed in involving themselves in the route between A and B. Any routing protocol that uses the metric of
shortest path to choose the best route is vulnerable to this mode of wormhole attack.
A
BC
X
Y
D EGood node Malicious node
U V WZ
ab
gd
Figure 1: Wormhole through packet encapsulation
A
BC
X Y
D E F
Good node Malicious node
a
b
d
gZ
Out-of-band channel
Figure 2: Wormhole through out-of-band channel
7
This mode of the wormhole attack is easy to launch since the two ends of the wormhole do not need to have
any cryptographic information, nor do they need any special capabilities, such as a high speed wireline link or a
high power source. A simple way of countering this mode of attack is a by-product of the secure routing protocol
ARAN [17], which chooses the fastest route reply rather than the one which claims the shortest number of hops.
This was not a stated goal of ARAN, whose motivation was that a longer, less congested route is better than a
shorter and congested route.
3.2 Wormhole using Out-of-Band Channel
This mode of the wormhole attack is launched by having an out-of-band high-bandwidth channel between the
malicious nodes. This channel can be achieved, for example, by using a long-range directional wireless link or a
direct wired link. This mode of attack is more difficult to launch than the previous one since it needs specialized
hardware capability. Consider the scenario depicted in Figure 2. Node A is sending a route request to node B,
nodes X and Y are malicious having an out-of-band channel between them. Node X tunnels the route request to Y,
which is a legitimate neighbor of B. Node Y broadcasts the packet to its neighbors, including B. Node B gets two
route requests — A-X-Y-B and A-C-D-E-F-B. The first route is both shorter and faster than the second, and is thus
chosen by B. This results in a wormhole being established between X and Y on the route between A and B.
3.3 Wormhole using High Power Transmission
In this mode, when a single malicious node gets a route request, it broadcasts the request at a high power
level, a capability which is not available to other nodes in the network. Any node that hears the high-power
broadcast, rebroadcasts it towards the destination. By this method, the malicious node increases its chance to be in
the routes established between the source and the destination even without the participation of a colluding node. A
simple method to mitigate this attack is possible if each node can accurately measure the received signal strength
and has models for signal propagation with distance. In that case, a node can independently determine if the
transmission it receives is at a higher than allowable power level. However, this technique is approximate at best
and dependent on environmental conditions. The local monitoring approach used in LITEWORP provides a more
feasible defense against this mode.
8
3.4 Wormhole using Packet Relay
In this mode of the wormhole attack, a malicious node relays packets between two distant nodes to convince
them that they are neighbors. It can be launched by even one malicious nodes. Cooperation by a greater number of
malicious nodes serves to expand the neighbor list of a victim node to several hops. For example, assume that
node A and node B are two non-neighbor nodes with a malicious neighbor node X. Node X can relay packets
between nodes A and B to give them the illusion that they are neighbors.
3.5 Wormhole using Protocol Deviations
Some routing protocols, such as ARAN [17], choose the route with the shortest delay in preference to the one
with the shortest number of hops. During the route request forwarding, the nodes typically back off for a random
amount of time before forwarding. This is motivated by the fact that the request forwarding is done by
broadcasting and hence, reducing MAC layer collisions is important. A malicious node can create a wormhole by
simply not complying with the protocol and broadcasting without backing off. The purpose is to let the request
packet it forwards arrive first at the destination. This increases the probability that the route between the source
and the destination will include the malicious node. This is a special form of the rushing attack described in [16].
Mode name Minimum # of compromised nodes
Special requirements
Packet encapsulation Two None Out-of-band channel Two Out-of-band link High power transmission One High energy source Packet relay One None Protocol deviations One None
Table 1: Summary of wormhole attack modes
Summarizing, the different modes of the
wormhole attack along with the associated
requirements are given in Table 1. Many
applications in ad-hoc and sensor networks
become vulnerable once a successful wormhole
attack has been launched. Routing is an important example. As we discussed in Section 3, on demand ad-hoc
routing protocols like DSR and AODV, and the sensor TinyOS routing protocol are highly vulnerable to the
attack. Other routing protocols like SEAD [2], Ariadne [3], ARRIVE [11], directed diffusion [5], multipath
routing [6], minimum cost forwarding [7], rumor routing [8], and even secure routing protocols presented in [4]
and [13] are also vulnerable to wormhole attacks. For further details on the vulnerability of routing protocols, the
reader may refer to [14]. Moreover, all the protocols that are used in building neighbor lists and, by extension, the
routing protocols (e.g. DSDV [9], OLSR [22], and TBRPF [23]) that use these lists, are vulnerable as well.
9
4 Defenses
In this section, we describe the method for wormhole detection in LITEWORP followed by the method for
isolation of the malicious nodes. This is described in the context of static networks, while an extension to mobile
wireless networks is briefly described in Section 7.
4.1 System Model and Assumptions
Attack Model: In the attack model that we consider, the wormhole is launched by a malicious node, which may be
either an external node that does not have the cryptographic keys, or an insider node, that possesses the keys. The
insider node may be created, for example, by compromising a legitimate node. All these malicious nodes can
exhibit Byzantine behavior and can collude amongst themselves. The malicious node can be a powerful entity that
can establish out-of-band fast channels or have high powered transmission capability.
System assumption: We assume that the links are bi-directional, which means that if a node A can hear node B
then B can hear A. We assume that there is a certain amount of time from a node’s deployment, called the
compromise threshold time (TCT) that is minimally required to compromise the node. We have a protocol
presented in Section 4.2.1 for discovery of first and second hop transmission neighbors of a node. We define the
maximum time required for the neighbor discovery protocol to complete as TND (ND: Neighbor Discovery). Our
assumption is that for a given node ni, all its first and second hop neighbors are deployed within TCT-2TND of the
deployment of ni. This assumption implies that there can be no malicious insider node within two hops of ni
within TND time units from its deployment. Note however, that this assumption allows external malicious nodes to
exist anywhere in the network at any time of deployment. Further, insider malicious nodes, that are greater than
two hops from ni are allowed. We assume that the network has a static topology, though the functional roles a
node plays (e.g., cluster head, data aggregator, etc.) may change. Finally, LITEWORP requires a pre-distribution
pair-wise key management protocol (e.g. [18] for ad-hoc networks and [19],[20] for sensor networks). The key
management does not incur any overhead during the normal failure-free functioning of the network but only at
initialization time and during isolation of a malicious node. From the point of view of LITEWORP, incremental
deployment of a node in the network is identical to having a mobile node move to its location. This can be
handled by augmenting LITEWORP with a dynamic neighbor discovery protocol as in [15],[16].
10
4.2 Wormhole Defense using Local Monitoring
4.2.1 Information Structures
Building Neighbor Lists: As soon as a node, say A, is deployed in the field, it does a one-hop broadcast of a
HELLO message. Any node, say B, that hears the message, sends back an authenticated reply to A, using the
shared key. Node A accepts all the replies that arrive within a timeout. For each reply, A verifies the authenticity
of the reply and adds the responder to its neighbor list RA. Then A does a one-hop broadcast of a message
containing the list RA. This broadcast is authenticated individually by the shared key with each member in RA.
When B hears the broadcast, it verifies the authenticity of RA, and stores RA if correctly verified. Hence, at the end
of this neighbor discovery process, each node has a list of its direct neighbors and the neighbors of each one of its
direct neighbors. Note that this requires a larger memory than simply keeping a list of first hop and second hop
neighbors. This process is performed only once in the lifetime of a node and is secure because of the system
model assumptions. Henceforth, a node will not accept a packet from a node that is not a neighbor nor forward to
a node that is not a neighbor. Also, second hop neighbor information is used to determine if a packet is legitimate
or not. If a node C receives a packet forwarded by B purporting to come from A in the previous hop, C discards
the packet if A is not a second hop neighbor. After building its first and second hop neighbor list, node A activates
local monitoring.
Local Monitoring: A collaborative detection strategy for wormholes is used, where a node monitors the traffic
going in and out of its neighbors. For a node, say a, to be able to watch a node say, b, two conditions are required:
(i) each packet forwarder must explicitly announce the immediate source of the packet it is forwarding, i.e., the
node from which it receives the packet, and (ii) a must be a neighbor of both b and the previous hop from b, say
d. If the second condition is satisfied, we call a the guard node for the link from d to b. This implies that α is the
guard node for all its outgoing links. For example, in Figure 3, nodes M, N, and X are the guard nodes of the link
from X to A. Information from each packet sent from X to A is saved in a watch buffer at each guard. The
information includes the packet identification and type, the packet source, the packet destination, the packet’s
immediate sender (X), and the packet’s immediate receiver (A). The guards expect that A will forward the packet
towards the ultimate destination, unless A is itself the destination. Each entry in the watch buffer is time stamped
11
with a time threshold,t, by which A must forward the packet. Each packet forwarded by A with X as a previous
hop is checked for the corresponding information in the watch buffer.
S DB X
M
N
A
AX
YThe transmission range of node Y
Figure 3: X, M, and N are guards of the link from X
to A
A malicious counter (MalC(i,j)) is maintained at each
guard node, i, for a node, j, at the receiving end of each
link that i is monitoring. MalC(i,j) is incremented for
any malicious activity of j that is detected by i. The
increment to MalC depends on the nature of the
malicious activity detected, e.g., Vf for fabricating and
Vd for dropping a control packet.
Now, we present the detection algorithm individually for each of the first four wormhole attack modes and
show how existing approaches can be used to detect the fifth mode. However, prior to that, we give the isolation
and the response algorithm that applies across all the attack modes
4.2.2 Response and Isolation Algorithm
(i) When MalC(a,A) crosses a threshold, Ct , a revokes A from its neighbor list, and sends to each neighbor of A,
say D, an authenticated alert message indicating A is a suspected malicious node. This communication is
authenticated using the shared key between a and D to prevent false accusations. Alternately, if the clocks of
all the nodes in the network are loosely synchronized, a can do authenticated local two-hop broadcast as in
[29] to inform the neighbors of A.
(ii) When D gets the alert, it verifies the authenticity of the alert message, that a is a guard to A, and that A is D’s
neighbor. It then stores the identity of a in an alert buffer associated with A.
(iii) When D gets enough alert messages, γ, about A, it isolates A by marking A’s status as revoked in the neighbor
list. We call γ the detection confidence index of D.
(iv) After isolation, D does not accept or send any packet to a revoked node. Note that this isolation is performed
locally within the neighbors of the malicious node. This makes the response process quick and lightweight,
and has the desired effect of removing the malicious nodes from the network.
12
4.2.3 Detecting Different Modes of Wormhole Attacks
Detecting out-of-band and packet encapsulation wormholes
(i) A guard node a for a link, say from X to A, saves information from the packet header of each control packet
going over the link and time stamps it with the deadline t.
(ii) a overhears every packet going out of the receiver end of the link, A. For all the packets that A claims has
come from X, α looks up the corresponding entry in its watch buffer.
(iii) If an entry is found, a drops that entry since the corresponding packet has been correctly forwarded.
(iv) If an entry is not found, then A must have fabricated the packet. a increments MalC (a,A) by Vf.
(v) If an entry for a packet sent from X to A stays in the watch buffer beyond t, then A is accused of dropping the
corresponding packet. a increments MalC(a,A) by Vd.
Consider the scenario in Figure 4. M1 and M2 are two malicious nodes wishing to establish a wormhole
between the two nodes S and D. When M1 hears the REQ packet from S, it directs the packet to M2. Node M2
rebroadcasts the REQ packet after appending the identity of the previous hop from which it got the REQ. Node M2
has two choices for the previous hop — either to append the identity of M1, or append the identity of one of M2’s
neighbors, say X. In the first choice all the neighbors of M2 will reject the REQ because they all know, from the
stored data structure of the two-hop neighbors, that M1 is not a neighbor to M2. In the second case, all the guards
of the link from X to M2 (X, m, and l) will detect M2 as fabricating the route request since they do not have the
information for the corresponding packet from X in their watch buffer.
S
DC
M1 M2
A E F
Good node Malicious node
a
b
d
gZ
The legitimate path without wormhole An out-of-band channel between M1 and M2
A path between M1 and M2 for encapsulation
X
l
my
Figure 4: Wormhole detection for out-of-
band and packet encapsulation modes
In both cases M2 is detected, and the guards increment
the MalC of M2. In addition, the REP packet may also be
used for detection of M1 and M2. When D gets the REQ,
it generates a route reply packet, REP, and sends it back
to M2. The guards of the link from D to M2 (D, m, and y)
overhear the REP and save an entry in their watch
buffers.
13
Node M2 sends the route reply back to M1 using the out-of-band channel or packet encapsulation. After t time
units, the timers in the watch buffers of the guards D, m, and y run out, and thus the guards detect M2 as dropping
the REP packet and increment the MalC of M2. However if M2 is smarter, it can forward another copy of the REP
through the regular slower route. In this case, MalC of M2 is not incremented. When M1 gets the REP from M2, M1
forwards it back to S after appending the identity of the previous hop. As before, M1 has two choices — either to
append the identity of M2, or append the identity of one of M1’s neighbors, say Z. In the first choice, node S rejects
the REP because it knows that M2 is not a neighbor to M1. Also, all the neighbors of M1 know that M2 is not a
neighbor to M1. In the second case, all the guards of the link from Z to M1 detect M1 as forging the REP since they
don’t have the corresponding entry from Z in their watch buffers.
Detecting high power transmission wormhole
This mode is detected using the assumption of symmetric bi-directional channels. Suppose a malicious node,
say X, tries to use high power transmission to forward a packet P1 to it is final destination, or to cross multiple
hops to introduce itself in the shortest path. Then all the nodes for which X is not in their neighbor lists detect the
malicious behavior of X and reject P1.
Detecting packet relay wormhole
This mode is detected using the stored neighbor lists at each node. Suppose a malicious node X is a neighbor to
two non-neighbor nodes A and B and tries to deceive them by relaying packets between them. Both A and B detect
the malicious behavior of X since they know that they are not neighbors and reject the relayed packet.
Detecting protocol deviation wormhole
This mode can not be detected using LITEWORP. Researchers have proposed techniques for countering selfish
behavior in specific protocols. Selfishness refers to the property that nodes may tend to deny providing
cooperating services to other nodes in order to save their own resources, e.g., battery power. Kyasanur et al. have
addressed the problem of greediness at the MAC layer [30], while Buttyán have addressed selfishness in packet
forwarding [28]. Hu et al. have proposed a solution to an attack, called the rushing attack, in which nodes greedily
forward the route request passing through them without back off [16].
14
5 LITEWORP Analysis
5.1 Coverage Analysis
In this section, we characterize the probability of missed detection and false detection as the network density
increases and the detection confidence index γ varies. The results provide some interesting insights. For example,
we are able to compute the required network density d to detect p% of the wormhole attacks for a given γ.
Consider a homogeneous network of nodes where the nodes are uniformly distributed in the field. For
simplicity, we assume that the field is large enough that edge effects can be neglected in our analysis. Consider
any two randomly selected neighbor nodes, S and D, as shown in Figure 5(a). S and D are separated by a distance
x, and the communication range is r. The value of x follows a random variable with probability density function
of f(x) = 2x/r2 with range (0,r). This follows from the assumption of uniform distribution of the nodes.
G
S D
(a) (b)
S X
r
DS X
r
DD
Figure 5: (a) The area from which a node can
guard the link between S and D; (b) Illustration for detection accuracy
The guard nodes for the communication between S and D
are those nodes that lie within the communication range of S
and D, the shaded area in Figure 5(a). This area is given by
( )2
2 1 2( ) 2 cos 22 4x xArea x r x rr
− ⎛ ⎞= − −⎜ ⎟⎝ ⎠
.
The minimum value of Area(x), Areamin, is when x = r.
Therefore, the minimum number of guards 2min min 0.36g Area d r d= = .The expected value of the area
[ ] ( )2
2 1 2 2 22
0
2 2 1( ) 2 cos 2 1.62 4 3 2
r x x xE Area x r x r dx r rr r
π−⎧ ⎫⎪ ⎪⎛ ⎞ ⎛ ⎞ ⎛ ⎞= − − = − ≈⎨ ⎬⎜ ⎟ ⎜ ⎟ ⎜ ⎟
⎝ ⎠ ⎝ ⎠ ⎝ ⎠⎪ ⎪⎩ ⎭∫ . Therefore, the expected
number of guards 2[ ( )] 1.6g E Area x d r d⎢ ⎥= = ⎣ ⎦ . The number of neighbors of a node is given by 2BN r dπ= ,
thus2 1 0.513 2 B Bg N N
π⎛ ⎞= − ≈ ⎢ ⎥⎣ ⎦⎜ ⎟⎝ ⎠
⎯⎯⎯⎯⎯ (I).
Now, as in [33] where IEEE 802.11 was analyzed, we assume that each packet collides on the channel with a
constant and independent probability, PC. As shown in Figure 5(b), a guard G will not detect a fabricated packet
sent by D, claiming it was received from S, if G experienced a collision at the time that D transmits. Thus, the
15
probability of missed detection is PC. Assume that m packet fabrications occur within a certain time window, T.
Also assume that a guard must detect at least β fabrications to cause the MalC for a node to cross the threshold,
and thus generate an alert. Then, the alert probability at a guard is given by ( ) ( )| 1 i iC C
i
P P Pi
µµ
β µβ
µ −
=
⎛ ⎞= −⎜ ⎟
⎝ ⎠∑ . Thus,
assuming independence of collision events among the different guards, the probability that at least g of the guards
generate an alert is given by
( ) ( )|
| 1| |
0
( , , 1) !1 (1 )( , 1) ( 1)!( )!
Pg i g i g
i
B P gg gp P P u u dui B g g
β µβ µ γ γ
γ β µ β µγ
γ γγ γ γ γ
− − −≥
=
− +⎛ ⎞= − = = −⎜ ⎟ − + − −⎝ ⎠∑ ∫
where, ( , 1)B gγ γ− + is the Beta function and |( ; , 1)B P gβ µ γ γ− + is the incomplete Beta function.
Figure 6(a) shows the probability of detecting wormholes with m = 7, b=5, g =3, the number of compromised
nodes M = 2, and PC = 0.05 at NB = 3. The number of guards is determined from NB using Equation (I).
Thereafter, PC is assumed to increase linearly with the number of neighbors. Since the number of guards increases
as the number of neighbors increases, the probability of detection increases since it becomes easier to get the
alarm from g guards. However, the collision probability also increases with the number of neighbors, and thus the
probability of detection starts to fall rapidly beyond a point. Figure 10 shows that for the same m, b, and PC, the
probability of wormhole detection as a function of g when NB = 15 and M = 2. As g increases, the probability of
detection (P≥g) decreases.
0.000.200.400.600.801.00
3 7 11 15 19 23 27 31 35(a) Number of neighbors
P(w
orm
hole
det
ectio
n)
0.00
0.07
0.14
0.21
0.28
3 7 11 15 19 23 27 31 35(b) Number of`nodes
P( fa
lse
alar
m)X
10E-
6
Figure 6: (a) Probability of wormhole detection as a function of the number of neighbors; (b) Probability of
false alarm as a function of the number of neighbors As shown in Figure 5(b), a false alarm occurs when D receives a packet sent from S, while G does not receive
that packet, and later, G receives the corresponding packet forwarded by D. Thus, the probability of false alarm
16
is 2(1 )FA C CP P P= − . Assume that S sends m packets to D for forwarding, within a certain time window, T. The
probability that D is falsely accused is the probability that b or more packets are falsely suspected as fabricated.
This is given by ( ) ( )( | ) 1i iFA FA FA
i
P P Pi
µµ
β µβ
µ −
=
⎛ ⎞= −⎜ ⎟
⎝ ⎠∑ , and the probability that at least γ guards generate false
alarms is given by
( ) ( )( | )
( | ) 1( | ) ( | )
0
( , , 1) !1 (1 )( , 1) ( 1)!( )!
FAPg i g i FA gFA FA FA
i
P gg gp P P u u dui g g
β µβ µ γ γ
γ β µ β µγ
β γ γβ γ γ γ γ
− − −≥
=
− +⎛ ⎞= − = = −⎜ ⎟ − + − −⎝ ⎠∑ ∫
Figure 6(b) shows the probability of false alarm as a function of the number of nodes for the same parameters
as in Figure 6(a). The non monotonic nature of the plot can be explained as follows. As the number of neighbors
increases, so does the number of guards. Initially, this increases the probability that at least γ guards miss the
packet from S to the guard but not from D to the guard, leading to false detection at these γ guards. But beyond a
point, the increase in the number of neighbors increases the collision probability. This increases the probability
that both of these packets are missed at the guard and thus does not lead to false detection. The worst case false
alarm probability is still negligible (less than 0.3×10-6).
5.2 Cost Analysis
In this section, we show the memory, the computation, and the bandwidth overheads of LITEWORP to evaluate
its suitability to resource-constrained environments.
Memory overhead: We need to store the first and the second hop neighbor lists, the watch buffer, and the alert
buffer. The identity of a node in the network is 4 bytes. Reusing the notation from the previous section, the size of
neighbor list is NBL = pr2d entries. Each entry in the NBL needs 5 bytes; 4 for identity of the neighbor and 1 for
the MalC associated with that neighbor. So the total NBL storage, NBLS=5(πr2d)2. For example, for an average of
10 neighbors per node, NBLS is less than half a kilobyte. The alert buffer has g number of 4 byte entries. The
watch buffer size depends on the average number of hops between a source-destination pair, h, the frequency of
route establishment, f, as well as the density of the nodes. To find the average number of nodes involved in
watching a REP, we create a rectangular bounding box containing nodes that may overhear the REP sent from A
to B (Figure 7). This is an overestimate since we use a square that circumscribes the circular transmission range.
17
A Br2r
(h+1)r
r
Communication rangeA sensor node A-B Bounding path
Figure 7: The average number of nodes involved in the watch of a route reply
The number of nodes involved in monitoring
is 22 ( 1)REPN r h d= + . Thus, given N as the total
number of nodes in the network, each node is
involved in watching ( / )REPN N f route replies
per unit time.
For example, if N=100 nodes, h = 4 hops, and f = 1 route every 4 time units, then NREP = 17, and each node
watches only 4 route replies every 100 time units. Because the time t for which the packet is kept in the watch
buffer is relatively small (may be less than one time unit), a watch buffer size of 4 entries is more than enough for
this example. Each entry in the watch buffer is 20 bytes: 4 bytes each for the immediate source, the immediate
destination, and the original source, and 8 bytes for the sequence number of the REP. If we include the route
request in the watch, then each node will be involved in watching ( / )REPf N N f+ . That requires each node to
watch 4 packets every 16 time units; again 4 entries are still sufficient for the watch buffer.
Computation and Bandwidth overhead: Each watched route reply requires one lookup for the current source
and the current destination in the neighbor list, adding an entry to the watch buffer (incoming) or deleting an entry
from the watch buffer (outgoing), and may be another addition and deletion from the watch buffer (if a node is a
guard for two consecutive links). Since the size of the watch buffer and the neighbor list structure are relatively
small, the computation time required for these operations is negligible. For example, a lookup in a 100 entry
buffer takes the MICA mote with an Atmega128 4 MHZ processor, about 2m seconds. The bandwidth overhead is
incurred after deployment of a node for neighbor discovery and in the case of wormhole detection for informing
the neighbors of the detected node. This is therefore a negligible fraction of the total bandwidth over the lifetime
of the network.
Thus, due to the low resource overheads, LITEWORP is suitable for use in resource-constrained wireless
environments.
18
6 Simulation Results
We use the ns-2 simulation environment [34] to simulate a data exchange protocol, individually in the baseline
case without any protection, and with LITEWORP. We distribute the nodes randomly over a square field with a
fixed average node density. Thus, the field size varies (80×80 m to 204×204 m) with the number of nodes. We use
a generic on-demand shortest path routing that floods route requests and unicasts route replies in the reverse
direction. A route, once established, is not used forever but is evicted from the cache after a timeout period
expires (TOutRoute). When a malicious node hears a route request, it directs the request to all the malicious nodes
in the network using an out-of-band channel or using packet encapsulation. For packet encapsulation, we assume
that the colluding nodes always have a route between them. We simulate the out-of-band channel by letting the
compromised nodes deliver the packets instantaneously to their colluding parties. These two schemes exercise the
principal feature of LITEWORP, namely, local monitoring and are the most challenging to mitigate. Hence, we
simulate them in preference to other modes of attack. After a wormhole is established, the malicious nodes at each
end of the wormhole drop all the packets forwarded to them.
Each node acts as a data source and generates data using an exponential random distribution with inter-arrival
rate of m. The destination is chosen at random and is changed using an exponential random distribution with rate
x. The input parameters with the experimental values are given in Table 2. The output parameters include the
isolation latency, the number of data packets dropped due to the wormhole, the number of routes established, and
the number of routes affected by the wormhole. The simulation also accounts for losses due to natural collisions.
The isolation latency is calculated from the time a malicious node starts a wormhole attack until it is completely
isolated by all of its neighbors. The guards inform all the neighbors of the detected malicious node through
multiple unicasts. The output parameters that we present here are obtained by averaging over 30 runs. For each
run, the malicious nodes are chosen at random such that they are more than 2 hops away from each other.
Parameter Value Parameter Value Parameter Value Tx Range (r) 30 m g 2-8 Total # nodes (N) 20,50,100,150 NB 8 m 1/10 sec x 1/200 sec TOutRoute 50 sec M 0-4 Channel BW 40 kbps b 5 t 0.5 sec T 200
Table 2: Input parameter values for LITEWORP simulations
19
Figure 8 shows the number of packets dropped as a function of simulation time for the 100-node setup with 2
and 4 colluding nodes both with LITEWORP and without LITEWORP. The attack is started 50 sec after the start of
the simulation. Since the numbers are vastly different in the two cases, they are shown on separate Y-axes; the
axis on the left corresponds to the baseline case and the axis to the right corresponds to the system using
LITEWORP. In the baseline case, since wormholes are not detected and isolated, the cumulative number of packets
dropped continues to increase steadily with time. But in the LITEWORP case, as wormholes are identified and
isolated permanently, the cumulative number stabilizes. Notice that the cumulative number of packets dropped
grows for some time even after the wormhole is locally isolated at 75 sec, due to the cached routes that contain
the wormhole and continue to be used till route timeout occurs.
100-node scenario
0
500
1000
1500
2000
2500
3000
3500
0 50 100 200 300 400 500 600
Simulation time
With
out L
iteW
orp
020406080100120140160
With
Lite
Wor
p4 w/o LiteWorp2 w/o LiteWorp4 w/ LiteWorp2 w/ LiteWorp
Figure 8: Cumulative number of dropped packets
with and without LITEWORP
100-node scenario
0.00
0.20
0.40
0.60
0.80
0 1 2 3 4# compromised nodes
With
out L
iteW
orp
0.0000
0.0020
0.0040
0.0060
0.0080
0.0100
0.0120
With
Lite
Wor
p
fr. droppedfr. mal routesfr. dropped (LiteWorp)fr. mal route(LiteWorp)
Figure 9: Fraction of dropped packets and
malicious routes with and without LITEWORP Figure 9 shows a snapshot, at simulation time of 2000 sec, of the fraction of the total number of packets
dropped to the total number of packets sent, and the fraction of the total number of routes that involve wormholes
to the total number of routes established. This is shown for 0-4 compromised nodes for the baseline and with
LITEWORP. With 0 or 1 compromised node, there is no adverse effect on normal traffic since no wormhole is
created. The relationship between the number of dropped packets and the number of malicious routes is not linear.
This is because the route established through the wormhole is more heavily used by data sources due to the
aggressive nature of the malicious nodes at the ends of the wormhole. If we track these output parameters over
time, with LITEWORP, they would tend to zero as no more malicious routes are established or packets dropped,
20
while without LITEWORP they would reach a steady state as a fixed percentage of traffic continues to be affected
by the undetected wormholes.
50-node scenario
0
0.2
0.4
0.6
0.8
1
1 2 3 4 5 6 7 8
Detection confidence index
P(D
etec
tion)
0
6
12
18
24
30
Isol
atio
n la
tenc
y
Sim P(detection)Ana P(detection)sim isolation latency
Figure 10: Detection probability and latency with
varying g
Figure 10 bears out the analytical result for the
detection probability as γ is varied with NB = 15 and M=
2. As γ increases, the detection probability goes down
due to the need for alarm reporting by a larger number
of guards, in the presence of collisions. Also the
isolation latency goes up, though it is very small (less
than 30 s) even at the right end of the plot.
7 Conclusion and Future Work
We propose to investigate the extension of LITEWORP to mobile ad-hoc and sensor networks. The
fundamental requirement is the ability of a node to securely determine its first hop and second hop neighbors in
the face of mobility. We can augment LITEWORP with existing work on dynamic secure neighborhood
determination protocols, e.g., [15],[16] to achieve the goal as in static networks. However, we are also
investigating an alternate design of LITEWORP that is customized to mobile networks.
In this paper, we have presented a taxonomy for attack modes used to launch the wormhole attack in multihop
wireless networks. We have presented a protocol called LITEWORP that incorporates a detection protocol and an
isolation protocol. The detection protocol can be applied for detecting each mode of the wormhole attack except
the protocol deviation. The fundamental mechanism used is local monitoring whereby a node monitors traffic in
and out of its neighboring nodes and uses a data structure of first and second hop neighbors. LITEWORP isolates
the malicious node and removes its ability to cause future damage. The coverage analysis of LITEWORP brings out
the variation of probability of missed detection and false detection with increasing network density. The cost
analysis shows that LITEWORP has low storage, processing, and bandwidth requirements. These, together with the
fact that no specialized hardware is required, make the protocol ideally suited to resource-constrained wireless
networks, such as sensor networks.
21
8 References
[1] B. Dahill, B. N. Levine, E. Royer, and C. Shields, “A secure routing protocol for ad-hoc networks,” Electrical Engineering and Computer Science, University of Michigan, Tech. Rep. UM-CS-2001-037, August 2001.
[2] Y.-C. Hu, D. B. Johnson, and A. Perrig, “SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks,” in Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 2002), June 2002, pp. 3-13.
[3] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” Department of Computer Science, Rice University, Tech. Rep. TR01-383, December 2001.
[4] P. Papadimitratos and Z. Haas, “Secure routing for mobile ad hoc networks,” in SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), January 2002.
[5] C. Intanagonwiwat, R. Govindan, and D. Estrin, “Directed diffusion: A scalable and robust communication paradigm for sensor networks,” in Proceedings of the 6th Annual International Conference on Mobile Computing and Networks (MobiCOM 00), August 2000.
[6] D. Ganesan, R. Govindan, S. Shenker, and D. Estrin, “Highly-resilient, energy-efficient multipath routing in wireless sensor networks,” Mobile Computing and Communications Review, vol. 4, no. 5, October 2001.
[7] F. Ye, A. Chen, S. Lu, and L. Zhang, “A scalable solution to minimum cost forwarding in large sensor networks,” at the 10th International Conference on Computer Communications and Networks (ICCCN), 2001, pp. 304-309.
[8] D. Braginsky and D. Estrin, “Rumor routing algorithm for sensor networks,” at the 1st ACM International Workshop on Wireless Sensor Networks and Applications (WSNA), 2002.
[9] C. E. Perkins and P. Bhagwat, “Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers,” In ACM SIGCOMM Conference on Communications Architectures, Protocols and Applications, 1994.
[10] D. Johnson, D. Maltz, and J. Broch, “The Dynamic Source Routing Protocol for Multihop Wireless Ad Hoc Networks,” in Ad Hoc Networking, C. Perkins, Ed., Addison-Wesley, 2001.
[11] C. Karlof and Y. Li, J. Polastre, “ARRIVE: Algorithm for Robust Routing in Volatile Environments,” Technical Report UCB//CSD-03-1233, March 2003.
[12] C. Karlof and D. Wagner, “Secure Routing in Sensor Networks: Attacks and Countermeasures,” at the 1st IEEE International Workshop on Sensor Network Protocols and Applications, May, 2003.
[13] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” at the 6th ACM International Conference on Mobile Computing and Networking (MobiCOM), 2000.
[14] Y. C. Hu, A. Perrig, and D.B. Johnson, “Packet leashes: a defense against wormhole attacks in wireless networks,” in Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pp. 1976-1986, 2003.
[15] L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole attacks,” in Network and Distributed System Security Symposium, 2004.
[16] Y. C. Hu, A. Perrig, and D. Johnson, “Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols,” ACM Workshop on Wireless Security (WiSe 2003) September 19, 2003.
[17] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. Belding-Royer, “A Secure Routing Protocol for Ad hoc Networks,” in Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP 02), November 2002.
[18] S. Zhu, S. Xu, S. Setia, and S. Jajodia, Establishing Pair-wise Keys For Secure Communication in Ad Hoc Networks: A Probabilistic Approach, in the 11th IEEE International Conference on Network protocols (ICNP’03), Atlanta, Georgia, November 4-7, 2003.
[19] W. Du, J. Deng, Y. Han, and P. Varshney, “ A Pairwise Key Pre-distribution Scheme for Wireless Sensor Networks,” in Proceedings of the 10th ACM conference on Computer and communication security (CCS’03), Washington D.C., USA October 27-30, 2003.
[20] D. Liu and P Ning, “Establishing Pair-wise Keys in Distributed Sensor Networks,” in Proceedings of the 10th ACM conference on Computer and communication security (CCS’03), Washington D.C., USA October 27-30, 2003.
[21] C. E. Perkins and E. M. Royer, “Ad-Hoc On-Demand Distance Vector Routing,” in Proceedings of the Second IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’99), pp. 90-100, February 1990.
[22] A. Qayyum, L. Viennot, and A. Laouiti, “Multipoint Relaying: An Efficent Technique for Flooding in Mobile Wireless Networks,” Technical Report Research Report RR-3898, project HIPEERCOM, INRIA, February 2000.
22
[23] B. Bellur and R. G. Ogier, “ A Reliable, Efficient Topology Broadcast for Dynamic Networks,” in Proceedings of the 18th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’99), pp. 178-186, March 1999.
[24] Defense Advanced Research Projects Agency. Frequently Asked Questions v4 for BAA 01-01, FCS Communications Technology. Washington, DC. Available at http://www.darpa.mil/ato/solicit/baa01_01faqv4.doc, October 2000.
[25] Y. Ko, V. Shankarkumar, and N. Vaidya, “Medium access control protocols using directional antennas in ad hoc networks,” in Proceedings of the 19th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pages 13–21, 2000.
[26] R. Choudhury, X. Yang, R. Ramanathan, and N. Vaidya, “Using directional antennas for medium access control in ad hoc networks,” at the 8th ACM International Conference on Mobile Computing and Networking (MobiCOM), 2002.
[27] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H Rubens, “Mitigating Byzantine Attacks in Ad Hoc Wireless Networks,” Department of Computer Science, Johns Hopkins University, Tech. Rep. Version 1, March 2004.
[28] S. Capkun, L. Buttyán, and J.-P. Hubaux, ”SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” in Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks (SASN 03), pp.21-32, 2003.
[29] D. Liu and P. Ning, “Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks,” in Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS), pages 263-276, February 2003.
[30] P. Kyasanur and N. H. Vaidya, “Detection and handling of MAC layer misbehavior in wireless networks,” in Proceedings of the International Conference on Dependable Systems and Networks (DSN ’03), pp. 173- 182, 2003.
[31] S. Buchegger and J.-Y. Le Boudec, “Performance analysis of the CONFIDANT protocol,” in Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), pages 226-236, June 2002.
[32] Ralph C. Merkle, “Protocols for Public Key Cryptosystems,” in Proceedings of the IEEE Symposium on Security and Privacy, 1980.
[33] G. Bianchi, “Performance analysis of the IEEE 802.11 Distributed Coordination Function,” in IEEE Journal on Selected Areas in Communications, 18(3):535-547, March 2000.
[34] “The Network Simulator - ns-2,” At: http://www.isi.edu/nsnam/ns/